Hi Bjorn,
Even more output, this time from the /var/log/messages file, giving the results of one try to ping the subnet behind the gateway:
===================================================================
Nov 28 16:44:21 iort3 Pluto[1670]: | instantiated "devil-zara" for 62.137.60.29
Nov 28 16:44:21 iort3 Pluto[1670]: "devil-zara" #15: responding to Main Mode from unknown peer 62.137.60.29
Nov 28 16:44:22 iort3 Pluto[1670]: "devil-zara" #15: Peer ID is ID_FQDN: '@devil.iosystems.co.uk'
Nov 28 16:44:22 iort3 Pluto[1670]: "devil-zara" #15: deleting connection "devil-zara" instance with peer 62.137.82.181
Nov 28 16:44:22 iort3 Pluto[1670]: "devil-zara" #13: deleting state (STATE_MAIN_R3)
Nov 28 16:44:22 iort3 Pluto[1670]: "devil-zara" #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 28 16:44:23 iort3 Pluto[1670]: "devil-zara" #16: responding to Quick Mode
Nov 28 16:44:23 iort3 Pluto[1670]: | route owner of "devil-zara" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Nov 28 16:44:23 iort3 Pluto[1670]: | route owner of "devil-zara" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Nov 28 16:44:23 iort3 Pluto[1670]: | route owner of "devil-zara" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Nov 28 16:44:23 iort3 Pluto[1670]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:23 iort3 Pluto[1670]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:24 iort3 Pluto[1670]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:24 iort3 Pluto[1670]: "devil-zara" #16: route-client output: SIOCADDRT: Network is unreachable
Nov 28 16:44:24 iort3 Pluto[1670]: "devil-zara" #16: route-client output: /usr/lib/ipsec/_updown: `route add -net 62.137.60.29 netmask 255.255.255.255' failed
Nov 28 16:44:24 iort3 Pluto[1670]: "devil-zara" #16: route-client command exited with status 7
Nov 28 16:44:24 iort3 Pluto[1670]: | executing down-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:33 iort3 Pluto[1670]: | handling event EVENT_RETRANSMIT for 62.137.60.29 "devil-zara" #16
Nov 28 16:44:33 iort3 Pluto[1670]: | route owner of "devil-zara" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Nov 28 16:44:33 iort3 Pluto[1670]: | route owner of "devil-zara" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Nov 28 16:44:33 iort3 Pluto[1670]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:33 iort3 Pluto[1670]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:33 iort3 Pluto[1670]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:33 iort3 Pluto[1670]: "devil-zara" #16: route-client output: SIOCADDRT: Network is unreachable
Nov 28 16:44:33 iort3 Pluto[1670]: "devil-zara" #16: route-client output: /usr/lib/ipsec/_updown: `route add -net 62.137.60.29 netmask 255.255.255.255' failed
Nov 28 16:44:33 iort3 Pluto[1670]: "devil-zara" #16: route-client command exited with status 7
Nov 28 16:44:33 iort3 Pluto[1670]: | executing down-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='down-client' PLUTO_CONNECTION='devil-zara' PLUTO_NEXT_HOP='62.137.60.29' PLUTO_INTERFACE='ipsec0' PLUTO_ME='217.33.203.132' PLUTO_MY_CLIENT='128.0.0.0/16' PLUTO_MY_CLIENT_NET='128.0.0.0' PLUTO_MY_CLIENT_MASK='255.255.0.0' PLUTO_PEER='62.137.60.29' PLUTO_PEER_CLIENT='62.137.60.29/32' PLUTO_PEER_CLIENT_NET='62.137.60.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' ipsec _updown
Nov 28 16:44:33 iort3 Pluto[1670]: ERROR: "devil-zara" #16: pfkey write() of SADB_DELETE message 164 for Delete SA esp.961da5b@217.33.203.132 failed. Errno 3: No such process
Nov 28 16:44:53 iort3 Pluto[1670]: | handling event EVENT_RETRANSMIT for 62.137.60.29 "devil-zara" #16
Nov 28 16:45:33 iort3 Pluto[1670]: | handling event EVENT_RETRANSMIT for 62.137.60.29 "devil-zara" #16
Nov 28 16:45:33 iort3 Pluto[1670]: "devil-zara" #16: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 28 16:45:33 iort3 Pluto[1670]: ERROR: "devil-zara" #16: pfkey write() of SADB_DELETE message 165 for Delete SA esp.961da5b@217.33.203.132 failed. Errno 3: No such process
=================================================================
 
Fred
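An added example, not from Fred's post or from FreeS/WAN itself: a small Python analyser for Pluto syslog lines like the ones above. It groups findings per connection and state number and flags the pattern visible in this log, where the `_updown` route-client step exits non-zero, Pluto runs down-client, and the Quick Mode exchange then hits its retransmit limit. The sample log is reconstructed from the posted lines with the mail wrapping removed and the `|` debug lines left out; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the state-tagged lines of the Pluto output posted above,
# unwrapped. The '|' debug lines are omitted because the parser skips them anyway.
SAMPLE_LOG = """\
Nov 28 16:44:22 iort3 Pluto[1670]: "devil-zara" #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 28 16:44:23 iort3 Pluto[1670]: "devil-zara" #16: responding to Quick Mode
Nov 28 16:44:24 iort3 Pluto[1670]: "devil-zara" #16: route-client output: SIOCADDRT: Network is unreachable
Nov 28 16:44:24 iort3 Pluto[1670]: "devil-zara" #16: route-client output: /usr/lib/ipsec/_updown: `route add -net 62.137.60.29 netmask 255.255.255.255' failed
Nov 28 16:44:24 iort3 Pluto[1670]: "devil-zara" #16: route-client command exited with status 7
Nov 28 16:44:33 iort3 Pluto[1670]: "devil-zara" #16: route-client command exited with status 7
Nov 28 16:44:33 iort3 Pluto[1670]: ERROR: "devil-zara" #16: pfkey write() of SADB_DELETE message 164 for Delete SA esp.961da5b@217.33.203.132 failed. Errno 3: No such process
Nov 28 16:45:33 iort3 Pluto[1670]: "devil-zara" #16: max number of retransmissions (2) reached STATE_QUICK_R1
"""

# Matches '<syslog ts> <host> Pluto[pid]: [ERROR: ]"<conn>" #<state>: <msg>'.
# Debug lines start with '|' after the pid, so they deliberately do not match.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ Pluto\[\d+\]: (?P<err>ERROR: )?'
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
EXIT_RE = re.compile(r'^(?P<verb>[a-z-]+) command exited with status (?P<status>\d+)$')
RETRANS_RE = re.compile(r'^max number of retransmissions \(\d+\) reached (?P<st>\S+)$')


def analyse_pluto_log(text):
    """Per (connection, state#): failed _updown verbs with exit status, the script
    output Pluto captured, ERROR lines, and the state in which retransmits ran out."""
    findings = defaultdict(lambda: {"updown_failures": [], "updown_output": [],
                                    "errors": [], "gave_up_in": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, msg = (m["conn"], int(m["state"])), m["msg"]
        if m["err"]:
            findings[key]["errors"].append(msg)
            continue
        e, r = EXIT_RE.match(msg), RETRANS_RE.match(msg)
        if e and int(e["status"]) != 0:
            findings[key]["updown_failures"].append((m["ts"], e["verb"], int(e["status"])))
        elif " output: " in msg:  # e.g. 'route-client output: SIOCADDRT: ...'
            findings[key]["updown_output"].append(msg.split(" output: ", 1)[1])
        elif r:
            findings[key]["gave_up_in"] = r["st"]
    return dict(findings)


def tunnel_never_came_up(findings, conn):
    """True when any state of `conn` failed its route-client step: Pluto then runs
    down-client, so no traffic flows even though the ISAKMP SA was established."""
    return any(any(v == "route-client" for _, v, _ in f["updown_failures"])
               for (c, _), f in findings.items() if c == conn)
```

Point it at the unwrapped /var/log/messages lines to get the same per-state summary for a real run; states that log nothing abnormal (here #15) do not appear in the result.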
-----Original Message-----
From: devil-linux-discuss-admin@lists.sourceforge.net [mailto:devil-linux-discuss-admin@lists.sourceforge.net] On Behalf Of Fred de Klein
Sent: 28 November 2002 16:32
To: devil-linux-discuss@lists.sourceforge.net
Subject: RE: [Devil-Linux-discuss] ipsec connection problem

Hi Bjorn,
Agree with the strength of Linux.
I haven't got a firewall running at the moment because of the testing.
I will attach the output file of a couple of ipsec commands (look, whack --status, and barf) from the road warrior machine.
Your help and time much appreciated. The bummer is that at the moment there seems to be a bug in the subscription to the freeswan mailing list, which does not allow me to subscribe.
 
-----Original Message-----
From: devil-linux-discuss-admin@lists.sourceforge.net [mailto:devil-linux-discuss-admin@lists.sourceforge.net] On Behalf Of Bjørn Rasmussen
Sent: 28 November 2002 15:56
To: devil-linux-discuss@lists.sourceforge.net
Subject: RE: [Devil-Linux-discuss] ipsec connection problem

I agree, I've also got great help from Sam.

The great strength of Linux and Open Source is its functionality. This has to complicate things, and is at the same time the downside. That's why administrators and advanced users love Linux: there's always a solution to a problem. Windows is easy if it works. If not, you have a nightmare.

The ping problem: Firewall rules? Is there a specific tunnel for that subnet?

Again: You can include a copy of your ipsec.conf files.